---
description: OIDC provider configuration for IBM Security Access Manager (recently renamed to IBM Security Verify Access)
---

## IBM ISAM

The [IBM ISAM](https://www.ibm.com/de-de/products/verify-access) identity provider
returns group membership claims as a space-separated list of strings (e.g.
`groups: "group-1 group-2"`) instead of a list of strings.

To properly obtain group membership when using IBMISAM as the identity provider for
OpenBao's OIDC Auth Method, the `ibmisam` provider must be explicitly configured as
shown below.

```shell
bao write auth/oidc/config -<<"EOH"
{
   "oidc_client_id": "your_client_id",
   "oidc_client_secret": "your_client_secret",
   "default_role": "your_default_role",
   "oidc_discovery_url": "https://your.idp.host",
   "provider_config": {
      "provider": "ibmisam"
   }
}
EOH
```

This will instruct the OIDC Auth Method to parse the space-separated groups claims string
into individual groups. Note that the role's [`groups_claim`](/api-docs/auth/jwt#groups_claim)
value must be properly configured to target the groups claim for your IBM ISAM identity
provider.
